
Trusted boot, I think, is just keeping track of what has run on the computer; it won’t stop the boot if it detects something it doesn’t expect.

Secure boot, I believe, will stop the boot if it detects tampering with the OS (that is, the hash of some OS code doesn’t match the signature that’s stored in the Trusted Platform Module (TPM)).

For this trusted boot, it’ll hash the BIOS and put the computed SHA1 hash into the TPM, and the contents of the TPM should be software-immutable, and I believe even resilient to some hardware tampering.

The problem with this trusted boot is that the OS is really loading a lot of stuff, and there’s a big performance penalty for this.
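The difference the post describes (measure-and-continue versus verify-and-halt) is easiest to see in a small simulation. The following is an added example, not code from the poster; the boot chain images are constructed byte strings, secure boot is modelled as a hash allow-list check rather than real signature verification, and the PCR extend rule `new = H(old || measurement)` is the only TPM behaviour it reproduces.

```python
import hashlib

# Constructed sample boot chain (component name, image bytes); not real firmware.
GOOD_CHAIN = [
    ("bios", b"BIOS v1.0 image"),
    ("bootloader", b"bootloader v2.3"),
    ("kernel", b"vmlinuz 6.1"),
]
# The same chain with a modified kernel image, standing in for a tampered OS.
TAMPERED_CHAIN = [
    ("bios", b"BIOS v1.0 image"),
    ("bootloader", b"bootloader v2.3"),
    ("kernel", b"vmlinuz 6.1 + bootkit"),
]


def measure(blob, algo="sha1"):
    """Hash one boot component the way the firmware would before handing control to it."""
    return hashlib.new(algo, blob).digest()


def pcr_extend(pcr, measurement, algo="sha1"):
    """TPM PCR extend: new = H(old || measurement). Software can only extend a PCR, never set it."""
    return hashlib.new(algo, pcr + measurement).digest()


def measured_boot(chain, algo="sha1"):
    """Trusted (measured) boot: record each component's hash, extend the PCR, never halt."""
    pcr = bytes(hashlib.new(algo).digest_size)  # PCRs start at all zeros after reset
    log = []
    for name, blob in chain:
        m = measure(blob, algo)
        log.append((name, m))
        pcr = pcr_extend(pcr, m, algo)
    return pcr, log


def replay_log(log, algo="sha1"):
    """A verifier recomputes the PCR from the event log; a mismatch means the log was edited."""
    pcr = bytes(hashlib.new(algo).digest_size)
    for _, m in log:
        pcr = pcr_extend(pcr, m, algo)
    return pcr


def secure_boot(chain, allowlist, algo="sha256"):
    """Simplified secure boot: stop at the first component whose hash is not on the allow-list."""
    for name, blob in chain:
        if measure(blob, algo) not in allowlist:
            return False, name
    return True, None


# Allow-list built from the known-good images (hypothetical stand-in for the signed set).
GOOD_ALLOWLIST = {measure(blob, "sha256") for _, blob in GOOD_CHAIN}

if __name__ == "__main__":
    good_pcr, good_log = measured_boot(GOOD_CHAIN)
    bad_pcr, bad_log = measured_boot(TAMPERED_CHAIN)
    print("measured boot, good chain :", good_pcr.hex())
    print("measured boot, tampered   :", bad_pcr.hex(), "(booted anyway, %d events)" % len(bad_log))
    print("log replay matches PCR    :", replay_log(bad_log) == bad_pcr)
    print("secure boot, good chain   :", secure_boot(GOOD_CHAIN, GOOD_ALLOWLIST))
    print("secure boot, tampered     :", secure_boot(TAMPERED_CHAIN, GOOD_ALLOWLIST))
```

Two things the simulation makes concrete: measured boot runs the tampered chain to completion and only leaves evidence in the PCR and log, so something else (a remote attester replaying the log) has to notice; and because a PCR can only be extended, a bootkit that runs after the BIOS measurement cannot rewrite the value to look clean, which is the "software-immutable" property the post refers to.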